$OpenBSD: patch-lib_am_distdir_am,v 1.1 2012/07/20 12:03:50 jasper Exp $

- Fix insecure permissions for directories in distfile build tree. CVE-2009-4029
- Fix insecure permissions used for the top of the distfile build tree. CVE-2012-3386

--- lib/am/distdir.am.orig	Thu Jul 19 15:09:52 2012
+++ lib/am/distdir.am	Thu Jul 19 15:35:08 2012
@@ -192,11 +192,7 @@ if %?DIST-TARGETS%
 endif %?DIST-TARGETS%
 ##
 ## This complex find command will try to avoid changing the modes of
-## links into the source tree, in case they're hard-linked.  It will
-## also make directories writable by everybody, because some
-## brain-dead tar implementations change ownership and permissions of
-## a directory before extracting the files, thus becoming unable to
-## extract them.
+## links into the source tree, in case they're hard-linked.
 ##
 ## Ignore return result from chmod, because it might give an error
 ## if we chmod a symlink.
@@ -209,7 +205,7 @@ endif %?DIST-TARGETS%
 ## the file in place in the source tree.
 ##
 if %?TOPDIR_P%
-	-find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
+	-find $(distdir) -type d ! -perm -755 -exec chmod u+rwx,go+rx {} \; -o \
 	  ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
 	  ! -type d ! -perm -400 -exec chmod a+r {} \; -o \
 	  ! -type d ! -perm -444 -exec $(SHELL) $(install_sh) -c -m a+r {} {} \; \
@@ -326,7 +322,7 @@ distcheck: dist
 ## Make the new source tree read-only.  Distributions ought to work in
 ## this case.  However, make the top-level directory writable so we
 ## can make our new subdirs.
-	chmod -R a-w $(distdir); chmod a+w $(distdir)
+	chmod -R a-w $(distdir); chmod u+w $(distdir)
 	mkdir $(distdir)/_build
 	mkdir $(distdir)/_inst
 ## Undo the write access.
